Thom, your reading comprehension is too low to catch this fact mentioned in the article:
He went out of his way to test the exploit before the contest to make sure it would work every time.

In other words, he did not pwn Safari on the spur of the moment in a few seconds! He went to the contest with a known-good exploit that was well-tested long before he ever walked in the door.

That being said, I'd truly love to know exactly what control over the machine he had as a result of that, as the ZDNet article is rather vague beyond stating that. I'm imagining that unless he got the user to enter their password, it wasn't quite as "total" as stated: if you can't enter the password for certain things, or do something to configure things such that you don't need it, it isn't truly total control over the machine, but it can still at least be very damaging to that user's accounts.

He went out of his way to test the exploit before the contest to make sure it would work every time.

Well, it's quite possible the other guys had also prepared for the browsers they worked on.

That being said, I'd truly love to know exactly what control over the machine he had as a result of that, as the ZDNet article is rather vague beyond stating that.

Yeah, I was also wondering how he got control over the machine from the browser. Running code, sure, but that would still only be under the user account.
Then again, having "root" isn't what most malware is interested in anyway.

but it can still at least be very damaging to that user's accounts.

Aside from not being able to change system files and configurations it can still be quite damaging. You can still run botnets from a user account, for example.